fix(lambda): unable to add permissions to imported lambda functions

packages/@aws-cdk/aws-lambda/lib/alias.ts

@@ -97,7 +97,7 @@ export class Alias extends QualifiedFunctionBase implements IAlias {
       public readonly grantPrincipal = attrs.aliasVersion.grantPrincipal;
       public readonly role = attrs.aliasVersion.role;
 
-      protected readonly canCreatePermissions = false;
+      protected readonly canCreatePermissions = this._isStackAccount();
       protected readonly qualifier = attrs.aliasName;
     }
     return new Imported(scope, id);

packages/@aws-cdk/aws-lambda/lib/function-base.ts

@@ -1,7 +1,7 @@
 import * as cloudwatch from '@aws-cdk/aws-cloudwatch';
 import * as ec2 from '@aws-cdk/aws-ec2';
 import * as iam from '@aws-cdk/aws-iam';
-import { ConstructNode, IResource, Resource } from '@aws-cdk/core';
+import { ConstructNode, IResource, Resource, Token } from '@aws-cdk/core';
 import { AliasOptions } from './alias';
 import { EventInvokeConfig, EventInvokeConfigOptions } from './event-invoke-config';
 import { IEventSource } from './event-source';
@@ -182,7 +182,8 @@ export abstract class FunctionBase extends Resource implements IFunction {
   /**
    * Whether the addPermission() call adds any permissions
    *
-   * True for new Lambdas, false for imported Lambdas (they might live in different accounts).
+   * True for new Lambdas, false for version $LATEST and imported Lambdas
+   * from different accounts.
    */
   protected abstract readonly canCreatePermissions: boolean;
 
@@ -346,6 +347,27 @@ export abstract class FunctionBase extends Resource implements IFunction {
     return this.node;
   }
 
+  /**
+   * Given the function arn, check if the account id matches this account
+   *
+   * Function ARNs look like this:
+   *
+   *   arn:aws:lambda:region:account-id:function:function-name
+   *
+   * ..which means that in order to extract the `account-id` component from the ARN, we can
+   * split the ARN using ":" and select the component in index 4.
+   *
+   * @returns true if account id of function matches this account
+   *
+   * @internal
+   */
+  protected _isStackAccount(): boolean {
+    if (Token.isUnresolved(this.stack.account) || Token.isUnresolved(this.functionArn)) {
+      return false;
+    }
+    return this.stack.parseArn(this.functionArn).account === this.stack.account;
+  }
+
   /**
    * Translate IPrincipal to something we can pass to AWS::Lambda::Permissions
    *
@@ -431,7 +453,7 @@ class LatestVersion extends FunctionBase implements IVersion {
   public readonly version = '$LATEST';
   public readonly permissionsNode = this.node;
 
-  protected readonly canCreatePermissions = true;
+  protected readonly canCreatePermissions = false;
 
   constructor(lambda: FunctionBase) {
     super(lambda, '$LATEST');

packages/@aws-cdk/aws-lambda/lib/function.ts

@@ -382,7 +382,7 @@ export class Function extends FunctionBase {
       public readonly role = role;
       public readonly permissionsNode = this.node;
 
-      protected readonly canCreatePermissions = false;
+      protected readonly canCreatePermissions = this._isStackAccount();
 
       constructor(s: Construct, i: string) {
         super(s, i);

packages/@aws-cdk/aws-lambda/lib/lambda-version.ts

@@ -128,7 +128,7 @@ export class Version extends QualifiedFunctionBase implements IVersion {
       public readonly role = lambda.role;
 
       protected readonly qualifier = version;
-      protected readonly canCreatePermissions = false;
+      protected readonly canCreatePermissions = this._isStackAccount();
 
       public addAlias(name: string, opts: AliasOptions = { }): Alias {
         return addAlias(this, this, name, opts);
@@ -154,7 +154,7 @@ export class Version extends QualifiedFunctionBase implements IVersion {
       public readonly role = attrs.lambda.role;
 
       protected readonly qualifier = attrs.version;
-      protected readonly canCreatePermissions = false;
+      protected readonly canCreatePermissions = this._isStackAccount();
 
       public addAlias(name: string, opts: AliasOptions = { }): Alias {
         return addAlias(this, this, name, opts);

packages/@aws-cdk/aws-lambda/test/test.lambda.ts

@@ -283,6 +283,59 @@ export = {
     // THEN
     test.deepEqual(imported.functionArn, 'arn:aws:lambda:us-east-1:123456789012:function:ProcessKinesisRecords');
     test.deepEqual(imported.functionName, 'ProcessKinesisRecords');
+    expect(stack2).notTo(haveResource('AWS::Lambda::Permission'));
+    test.done();
+  },
+
+  'imported Function w/ resolved account and function arn can addPermissions'(test: Test) {
+    // GIVEN
+    const app = new cdk.App();
+    const stack = new cdk.Stack(app, 'Imports', {
+      env: { account: '123456789012', region: 'us-east-1' },
+    });
+    const stack2 = new cdk.Stack(app, 'imported', {
+      env: { account: '123456789012', region: 'us-east-1' },
+    });
+    new lambda.Function(stack, 'BaseFunction', {
+      code: new lambda.InlineCode('foo'),
+      handler: 'index.handler',
+      runtime: lambda.Runtime.NODEJS_10_X,
+    });
+
+    // WHEN
+    const iFunc = lambda.Function.fromFunctionAttributes(stack2, 'iFunc', {
+      functionArn: 'arn:aws:lambda:us-east-1:123456789012:function:BaseFunction',
+    });
+    iFunc.addPermission('iFunc', {
+      principal: new iam.ServicePrincipal('cloudformation.amazonaws.com'),
+    });
+
+    // THEN
+    expect(stack2).to(haveResource('AWS::Lambda::Permission'));
+    test.done();
+  },
+
+  'imported Function w/o account cannot addPermissions'(test: Test) {
+    // GIVEN
+    const app = new cdk.App();
+    const stack = new cdk.Stack(app, 'Base');
+    const importedStack = new cdk.Stack(app, 'Imported');
+    new lambda.Function(stack, 'BaseFunction', {
+      code: new lambda.InlineCode('foo'),
+      handler: 'index.handler',
+      runtime: lambda.Runtime.NODEJS_10_X,
+    });
+
+    // WHEN
+    const iFunc = lambda.Function.fromFunctionAttributes(importedStack, 'iFunc', {
+      functionArn: 'arn:aws:lambda:us-east-1:123456789012:function:BaseFunction',
+    });
+    iFunc.addPermission('iFunc', {
+      principal: new iam.ServicePrincipal('cloudformation.amazonaws.com'),
+    });
+
+    // THEN
+    expect(importedStack).notTo(haveResource('AWS::Lambda::Permission'));
     test.done();
   },